aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--manifests/base.pp96
-rw-r--r--manifests/client.pp23
-rw-r--r--manifests/client/base.pp9
-rw-r--r--manifests/client/debian.pp5
-rw-r--r--manifests/client/linux.pp5
-rw-r--r--manifests/debian.pp13
-rw-r--r--manifests/gentoo.pp5
-rw-r--r--manifests/init.pp186
-rw-r--r--manifests/linux.pp8
-rw-r--r--manifests/openbsd.pp8
-rw-r--r--manifests/redhat.pp5
-rw-r--r--manifests/ssh_authorized_key.pp36
12 files changed, 196 insertions, 203 deletions
diff --git a/manifests/base.pp b/manifests/base.pp
new file mode 100644
index 0000000..2f2f973
--- /dev/null
+++ b/manifests/base.pp
@@ -0,0 +1,96 @@
+class sshd::base {
+ # prepare variables to use in templates
+ case $sshd_listen_address {
+ '': { $sshd_listen_address = [ '0.0.0.0', '::' ] }
+ }
+ case $sshd_allowed_users {
+ '': { $sshd_allowed_users = '' }
+ }
+ case $sshd_allowed_groups {
+ '': { $sshd_allowed_groups = '' }
+ }
+ case $sshd_use_pam {
+ '': { $sshd_use_pam = 'no' }
+ }
+ case $sshd_permit_root_login {
+ '': { $sshd_permit_root_login = 'without-password' }
+ }
+ case $sshd_password_authentication {
+ '': { $sshd_password_authentication = 'no' }
+ }
+ case $sshd_tcp_forwarding {
+ '': { $sshd_tcp_forwarding = 'no' }
+ }
+ case $sshd_x11_forwarding {
+ '': { $sshd_x11_forwarding = 'no' }
+ }
+ case $sshd_agent_forwarding {
+ '': { $sshd_agent_forwarding = 'no' }
+ }
+ case $sshd_challenge_response_authentication {
+ '': { $sshd_challenge_response_authentication = 'no' }
+ }
+ case $sshd_pubkey_authentication {
+ '': { $sshd_pubkey_authentication = 'yes' }
+ }
+ case $sshd_rsa_authentication {
+ '': { $sshd_rsa_authentication = 'no' }
+ }
+ case $sshd_strict_modes {
+ '': { $sshd_strict_modes = 'yes' }
+ }
+ case $sshd_ignore_rhosts {
+ '': { $sshd_ignore_rhosts = 'yes' }
+ }
+ case $sshd_rhosts_rsa_authentication {
+ '': { $sshd_rhosts_rsa_authentication = 'no' }
+ }
+ case $sshd_hostbased_authentication {
+ '': { $sshd_hostbased_authentication = 'no' }
+ }
+ case $sshd_permit_empty_passwords {
+ '': { $sshd_permit_empty_passwords = 'no' }
+ }
+ case $sshd_port {
+ '': { $sshd_port = 22 }
+ }
+ case $sshd_authorized_keys_file {
+ '': { $sshd_authorized_keys_file = "%h/.ssh/authorized_keys" }
+ }
+ case $sshd_sftp_subsystem {
+ '': { $sshd_sftp_subsystem = '' }
+ }
+ case $sshd_additional_options {
+ '': { $sshd_additional_options = '' }
+ }
+
+ file { 'sshd_config':
+ path => '/etc/ssh/sshd_config',
+ owner => root,
+ group => 0,
+ mode => 600,
+ content => $lsbdistcodename ? {
+ '' => template("sshd/sshd_config/${operatingsystem}.erb"),
+ default => template ("sshd/sshd_config/${operatingsystem}_${lsbdistcodename}.erb"),
+ },
+ notify => Service[sshd],
+ }
+ # Now add the key, if we've got one
+ case $sshrsakey_key {
+ '': { info("no sshrsakey on $fqdn") }
+ default: {
+ @@sshkey{"$hostname.$domain":
+ type => ssh-rsa,
+ key => $sshrsakey_key,
+ ensure => present,
+ }
+ }
+ }
+ service{'sshd':
+ name => 'sshd',
+ enable => true,
+ ensure => running,
+ hasstatus => true,
+ require => File[sshd_config],
+ }
+}
diff --git a/manifests/client.pp b/manifests/client.pp
index 34308b4..2fc3a84 100644
--- a/manifests/client.pp
+++ b/manifests/client.pp
@@ -10,26 +10,7 @@ class sshd::client {
}
}
}
-}
-
-class sshd::client::base {
- # this is needed because the gid might have changed
- file { '/etc/ssh/ssh_known_hosts':
- mode => 0644, owner => root, group => 0;
- }
-
- # Now collect all server keys
- Sshkey <<||>>
-}
-
-class sshd::client::linux inherits sshd::client::base {
- package {'openssh-clients':
- ensure => installed,
- }
-}
-
-class sshd::client::debian inherits sshd::client::linux {
- Package['openssh-clients']{
- name => 'openssh-client',
+ if $use_shorewall{
+ include shorewall::rules::out::ssh
}
}
diff --git a/manifests/client/base.pp b/manifests/client/base.pp
new file mode 100644
index 0000000..2c3e31f
--- /dev/null
+++ b/manifests/client/base.pp
@@ -0,0 +1,9 @@
+class sshd::client::base {
+ # this is needed because the gid might have changed
+ file { '/etc/ssh/ssh_known_hosts':
+ mode => 0644, owner => root, group => 0;
+ }
+
+ # Now collect all server keys
+ Sshkey <<||>>
+}
diff --git a/manifests/client/debian.pp b/manifests/client/debian.pp
new file mode 100644
index 0000000..9ca6da9
--- /dev/null
+++ b/manifests/client/debian.pp
@@ -0,0 +1,5 @@
+class sshd::client::debian inherits sshd::client::linux {
+ Package['openssh-clients']{
+ name => 'openssh-client',
+ }
+}
diff --git a/manifests/client/linux.pp b/manifests/client/linux.pp
new file mode 100644
index 0000000..522fa50
--- /dev/null
+++ b/manifests/client/linux.pp
@@ -0,0 +1,5 @@
+class sshd::client::linux inherits sshd::client::base {
+ package {'openssh-clients':
+ ensure => installed,
+ }
+}
diff --git a/manifests/debian.pp b/manifests/debian.pp
new file mode 100644
index 0000000..555cf12
--- /dev/null
+++ b/manifests/debian.pp
@@ -0,0 +1,13 @@
+class sshd::debian inherits sshd::linux {
+
+ # the templates for Debian need lsbdistcodename
+ include assert_lsbdistcodename
+
+ Package[openssh]{
+ name => 'openssh-server',
+ }
+ Service[sshd]{
+ name => 'ssh',
+ hasstatus => false,
+ }
+}
diff --git a/manifests/gentoo.pp b/manifests/gentoo.pp
new file mode 100644
index 0000000..f56a96d
--- /dev/null
+++ b/manifests/gentoo.pp
@@ -0,0 +1,5 @@
+class sshd::gentoo inherits sshd::linux {
+ Package[openssh]{
+ category => 'net-misc',
+ }
+}
diff --git a/manifests/init.pp b/manifests/init.pp
index 04484ca..cece69e 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -123,198 +123,20 @@ class sshd {
case $operatingsystem {
gentoo: { include sshd::gentoo }
- redhat: { include sshd::redhat }
+ redhat,centos: { include sshd::redhat }
centos: { include sshd::centos }
openbsd: { include sshd::openbsd }
- debian: { include sshd::debian }
- ubuntu: { include sshd::ubuntu }
+ debian,ubuntu: { include sshd::debian }
default: { include sshd::default }
}
-}
-
-class sshd::base {
- # prepare variables to use in templates
- case $sshd_listen_address {
- '': { $sshd_listen_address = [ '0.0.0.0', '::' ] }
- }
- case $sshd_allowed_users {
- '': { $sshd_allowed_users = '' }
- }
- case $sshd_allowed_groups {
- '': { $sshd_allowed_groups = '' }
- }
- case $sshd_use_pam {
- '': { $sshd_use_pam = 'no' }
- }
- case $sshd_permit_root_login {
- '': { $sshd_permit_root_login = 'without-password' }
- }
- case $sshd_password_authentication {
- '': { $sshd_password_authentication = 'no' }
- }
- case $sshd_tcp_forwarding {
- '': { $sshd_tcp_forwarding = 'no' }
- }
- case $sshd_x11_forwarding {
- '': { $sshd_x11_forwarding = 'no' }
- }
- case $sshd_agent_forwarding {
- '': { $sshd_agent_forwarding = 'no' }
- }
- case $sshd_challenge_response_authentication {
- '': { $sshd_challenge_response_authentication = 'no' }
- }
- case $sshd_pubkey_authentication {
- '': { $sshd_pubkey_authentication = 'yes' }
- }
- case $sshd_rsa_authentication {
- '': { $sshd_rsa_authentication = 'no' }
- }
- case $sshd_strict_modes {
- '': { $sshd_strict_modes = 'yes' }
- }
- case $sshd_ignore_rhosts {
- '': { $sshd_ignore_rhosts = 'yes' }
- }
- case $sshd_rhosts_rsa_authentication {
- '': { $sshd_rhosts_rsa_authentication = 'no' }
- }
- case $sshd_hostbased_authentication {
- '': { $sshd_hostbased_authentication = 'no' }
- }
- case $sshd_permit_empty_passwords {
- '': { $sshd_permit_empty_passwords = 'no' }
- }
- case $sshd_port {
- '': { $sshd_port = 22 }
- }
- case $sshd_authorized_keys_file {
- '': { $sshd_authorized_keys_file = "%h/.ssh/authorized_keys" }
- }
- case $sshd_sftp_subsystem {
- '': { $sshd_sftp_subsystem = '' }
- }
- case $sshd_additional_options {
- '': { $sshd_additional_options = '' }
- }
-
- file { 'sshd_config':
- path => '/etc/ssh/sshd_config',
- owner => root,
- group => 0,
- mode => 600,
- content => $lsbdistcodename ? {
- '' => template("sshd/sshd_config/${operatingsystem}.erb"),
- default => template ("sshd/sshd_config/${operatingsystem}_${lsbdistcodename}.erb"),
- },
- notify => Service[sshd],
- }
- # Now add the key, if we've got one
- case $sshrsakey_key {
- '': { info("no sshrsakey on $fqdn") }
- default: {
- @@sshkey{"$hostname.$domain":
- type => ssh-rsa,
- key => $sshrsakey_key,
- ensure => present,
- }
- }
- }
- service{'sshd':
- name => 'sshd',
- enable => true,
- ensure => running,
- hasstatus => true,
- require => File[sshd_config],
- }
if $use_nagios {
if $nagios_check_ssh {
nagios::service{ "ssh_${fqdn}_port_${sshd_port}": check_command => "ssh_port!$sshd_port" }
}
}
-}
-
-class sshd::linux inherits sshd::base {
- package{openssh:
- ensure => present,
- }
- File[sshd_config]{
- require +> Package[openssh],
- }
-}
-
-class sshd::gentoo inherits sshd::linux {
- Package[openssh]{
- category => 'net-misc',
- }
-}
-
-class sshd::debian inherits sshd::linux {
-
- # the templates for Debian need lsbdistcodename
- include assert_lsbdistcodename
-
- Package[openssh]{
- name => 'openssh-server',
- }
- Service[sshd]{
- name => 'ssh',
- hasstatus => false,
- }
-}
-class sshd::ubuntu inherits sshd::debian {}
-
-class sshd::redhat inherits sshd::linux {
- Package[openssh]{
- name => 'openssh-server',
- }
-}
-class sshd::centos inherits sshd::redhat {}
-
-class sshd::openbsd inherits sshd::base {
- Service[sshd]{
- restart => '/bin/kill -HUP `/bin/cat /var/run/sshd.pid`',
- stop => '/bin/kill `/bin/cat /var/run/sshd.pid`',
- start => '/usr/sbin/sshd',
- hasstatus => false,
- }
-}
-
-### defines
-# wrapper to have some defaults.
-define sshd::ssh_authorized_key(
- $type = 'ssh-dss',
- $key,
- $user = 'root',
- $target = 'absent',
- $options = 'absent'
-){
-
- case $target {
- 'absent': {
- case $user {
- 'root': { $real_target = '/root/.ssh/authorized_keys' }
- default: { $real_target = "/home/${user}/.ssh/authorized_keys" }
- }
- }
- default: {
- $real_target = $target
- }
- }
- ssh_authorized_key{$name:
- type => $type,
- key => $key,
- user => $user,
- target => $real_target,
- }
- case $options {
- 'absent': { info("not setting any option for ssh_authorized_key: $name") }
- default: {
- Ssh_authorized_key[$name]{
- options => $options,
- }
- }
+ if $use_shorewall{
+ include shorewall::rules::ssh
}
}
diff --git a/manifests/linux.pp b/manifests/linux.pp
new file mode 100644
index 0000000..f659808
--- /dev/null
+++ b/manifests/linux.pp
@@ -0,0 +1,8 @@
+class sshd::linux inherits sshd::base {
+ package{openssh:
+ ensure => present,
+ }
+ File[sshd_config]{
+ require +> Package[openssh],
+ }
+}
diff --git a/manifests/openbsd.pp b/manifests/openbsd.pp
new file mode 100644
index 0000000..f1379d7
--- /dev/null
+++ b/manifests/openbsd.pp
@@ -0,0 +1,8 @@
+class sshd::openbsd inherits sshd::base {
+ Service[sshd]{
+ restart => '/bin/kill -HUP `/bin/cat /var/run/sshd.pid`',
+ stop => '/bin/kill `/bin/cat /var/run/sshd.pid`',
+ start => '/usr/sbin/sshd',
+ hasstatus => false,
+ }
+}
diff --git a/manifests/redhat.pp b/manifests/redhat.pp
new file mode 100644
index 0000000..e9bf1d1
--- /dev/null
+++ b/manifests/redhat.pp
@@ -0,0 +1,5 @@
+class sshd::redhat inherits sshd::linux {
+ Package[openssh]{
+ name => 'openssh-server',
+ }
+}
diff --git a/manifests/ssh_authorized_key.pp b/manifests/ssh_authorized_key.pp
new file mode 100644
index 0000000..2d528da
--- /dev/null
+++ b/manifests/ssh_authorized_key.pp
@@ -0,0 +1,36 @@
+# wrapper to have some defaults.
+define sshd::ssh_authorized_key(
+ $type = 'ssh-dss',
+ $key,
+ $user = 'root',
+ $target = 'absent',
+ $options = 'absent'
+){
+
+ case $target {
+ 'absent': {
+ case $user {
+ 'root': { $real_target = '/root/.ssh/authorized_keys' }
+ default: { $real_target = "/home/${user}/.ssh/authorized_keys" }
+ }
+ }
+ default: {
+ $real_target = $target
+ }
+ }
+ ssh_authorized_key{$name:
+ type => $type,
+ key => $key,
+ user => $user,
+ target => $real_target,
+ }
+
+ case $options {
+ 'absent': { info("not setting any option for ssh_authorized_key: $name") }
+ default: {
+ Ssh_authorized_key[$name]{
+ options => $options,
+ }
+ }
+ }
+}